Many thanks, Daniel. I've just removed "/dev/null" from server. And I use OSSEC 0.9-1a for server and agents.
Here is ossec.log of the server (not full because of server names ;-)):

_______________________________________________
2006/09/22 16:36:33 ossec-maild: Started (pid: 31107).
2006/09/22 16:36:33 ossec-execd: Started (pid: 31114).
2006/09/22 16:36:33 ossec-analysisd: Reading rules file: 'rules_config.xml'
2006/09/22 16:36:33 ossec-analysisd: Reading rules file: 'pam_rules.xml'
2006/09/22 16:36:33 ossec-analysisd: Reading rules file: 'sshd_rules.xml'
2006/09/22 16:36:33 ossec-logcollector(1905): No file configured to monitor.
2006/09/22 16:36:33 ossec-analysisd: Reading rules file: 'telnetd_rules.xml'
2006/09/22 16:36:33 ossec-analysisd: Reading rules file: 'syslog_rules.xml'
2006/09/22 16:36:33 ossec-remoted: Started (pid: 31137).
2006/09/22 16:36:33 ossec-remoted: Started (pid: 31139).
2006/09/22 16:36:33 ossec-analysisd: Reading rules file: 'arpwatch_rules.xml'
2006/09/22 16:36:33 ossec-analysisd: Reading rules file: 'pix_rules.xml'
2006/09/22 16:36:33 ossec-analysisd: Reading rules file: 'named_rules.xml'
2006/09/22 16:36:33 ossec-analysisd: Reading rules file: 'smbd_rules.xml'
2006/09/22 16:36:33 ossec-analysisd: Reading rules file: 'vsftpd_rules.xml'
2006/09/22 16:36:33 ossec-analysisd: Reading rules file: 'pure-ftpd_rules.xml'
2006/09/22 16:36:33 ossec-analysisd: Reading rules file: 'proftpd_rules.xml'
2006/09/22 16:36:33 ossec-analysisd: Reading rules file: 'hordeimp_rules.xml'
2006/09/22 16:36:33 ossec-analysisd: Reading rules file: 'web_rules.xml'
2006/09/22 16:36:33 ossec-analysisd: Reading rules file: 'apache_rules.xml'
2006/09/22 16:36:33 ossec-analysisd: Reading rules file: 'ids_rules.xml'
2006/09/22 16:36:33 ossec-analysisd: Reading rules file: 'squid_rules.xml'
2006/09/22 16:36:33 ossec-analysisd: Reading rules file: 'firewall_rules.xml'
2006/09/22 16:36:33 ossec-analysisd: Reading rules file: 'netscreenfw_rules.xml'
2006/09/22 16:36:33 ossec-analysisd: Reading rules file: 'postfix_rules.xml'
2006/09/22 16:36:33 ossec-analysisd: Reading rules file: 'sendmail_rules.xml'
2006/09/22 16:36:33 ossec-analysisd: Reading rules file: 'imapd_rules.xml'
2006/09/22 16:36:33 ossec-analysisd: Reading rules file: 'mailscanner_rules.xml'
2006/09/22 16:36:33 ossec-analysisd: Reading rules file: 'racoon_rules.xml'
2006/09/22 16:36:33 ossec-analysisd: Reading rules file: 'spamd_rules.xml'
2006/09/22 16:36:33 ossec-analysisd: Reading rules file: 'msauth_rules.xml'
2006/09/22 16:36:33 ossec-analysisd: Reading rules file: 'policy_rules.xml'
2006/09/22 16:36:33 ossec-analysisd: Reading rules file: 'attack_rules.xml'
2006/09/22 16:36:33 ossec-analysisd: Reading rules file: 'ftpd_rules.xml'
2006/09/22 16:36:33 ossec-analysisd: Total rules enabled: '409'
2006/09/22 16:36:33 ossec-analysisd: Started (pid: 31123).
2006/09/22 16:36:34 ossec-remoted: [...]
2006/09/22 16:36:37 ossec-syscheckd: Started (pid: 31154).
2006/09/22 16:36:37 ossec-syscheckd: No directories to check.
2006/09/22 16:37:39 ossec-rootcheck: No rootcheck_files file configured.
2006/09/22 16:37:39 ossec-rootcheck: No rootcheck_trojans file configured.
_______________________________________________

On the agents, everything is ok: all daemons start without any problem, no errors. I can confirm that the agents communicate with the server, because I receive alert emails. But in alerts.log, there is nothing regarding Syscheck...

However, I have a little doubt about levels, as asked in another email sent 30 minutes ago!

Fred

-----Original Message-----
From: [email protected] [mailto:[EMAIL PROTECTED] On Behalf Of Daniel Cid
Sent: Friday, September 22, 2006 4:13 PM
To: [email protected]
Subject: [ossec-list] Re: Questions about syscheckd and rootcheckd

Hi Fred,

Response inline..

On 9/22/06, Fred <[EMAIL PROTECTED]> wrote:
>
>
> Hello everybody,
>
> I have a question about syscheckd and rootcheckd.
>
> I have a server and about 14 agents. Each agent has syscheck and rootcheck
> directives configured. But as I'm not interested in checking the server, I put
> the following directives on the server:

If you don't want to check the server, just don't add any localfile entry or any rootcheck entry. I don't know if adding /dev/null may cause any problem since it is a char device.

> - when I start the server, I get the following error messages:
>
> 2006/09/22 06:47:52 ossec-rootcheck: No rootcheck_files file configured.
> 2006/09/22 06:47:52 ossec-rootcheck: No rootcheck_trojans file configured
>
> 2006/09/15 13:20:40 ossec-syscheckd: Started (pid: 7835).
> 2006/09/15 13:20:40 ossec-syscheckd: No directories to check

That's fine on the server. It means it is not doing anything locally.. Can you show us your full log message (for the server and one agent at least)?

> - and above all, I never got any alerts about syscheck and rootcheck
> problems. Maybe ok for rootcheckd, but not for syscheckd.

Is there anything in your server's logs? (/var/ossec/logs/ossec.log) Can the agents communicate with the server (is there anything at /var/ossec/queue/agent-info)? What does /var/ossec/logs/alerts/alerts.log have? Btw, which version are you using?

>
> ==> So, should I configure some directives on the server in order to receive
> alert emails from the agents?

You only need analysisd and remoted configured to receive events from the agents. Logcollector, syscheckd and rootcheckd are not required.

> ==> 2nd question: when I put a directory in the syscheck rules, is the agent going
> to check this directory and its children (so, is this recursive)? Or should
> I put each directory?

It is recursive. So if you want to monitor the /etc directory, just give /etc and it will monitor all subdirectories and files.

> Thanks very much!
>
> Fred
>

Hope it helps.

--
Daniel B. Cid
dcid ( at ) ossec.net
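As an added illustration (not code from the thread or from the OSSEC project), the following Python script triages an ossec.log of the shape quoted above: it records which daemons reported "Started (pid: N)", checks that the two daemons Daniel says a server needs (analysisd and remoted) are among them, and, when the log belongs to an agent, flags the "nothing to check locally" notices that are harmless on a server but mean no syscheck/rootcheck alerts will ever come from that agent. The sample log is constructed from the lines in the thread; the role names and the notice list are this example's own assumptions.

```python
import re

# Constructed sample, modelled on the server ossec.log quoted in the thread.
SAMPLE_LOG = """\
2006/09/22 16:36:33 ossec-maild: Started (pid: 31107).
2006/09/22 16:36:33 ossec-execd: Started (pid: 31114).
2006/09/22 16:36:33 ossec-logcollector(1905): No file configured to monitor.
2006/09/22 16:36:33 ossec-remoted: Started (pid: 31137).
2006/09/22 16:36:33 ossec-analysisd: Total rules enabled: '409'
2006/09/22 16:36:33 ossec-analysisd: Started (pid: 31123).
2006/09/22 16:36:37 ossec-syscheckd: Started (pid: 31154).
2006/09/22 16:36:37 ossec-syscheckd: No directories to check.
2006/09/22 16:37:39 ossec-rootcheck: No rootcheck_files file configured.
"""

# "<date> <time> <daemon>[(code)]: <message>" as seen in the quoted log.
LINE_RE = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (ossec-[a-z]+)(?:\(\d+\))?: (.*)$")
PID_RE = re.compile(r"Started \(pid: (\d+)\)")

# Notices that only say "no local checks configured": fine on a server that is
# not meant to check itself, a problem on an agent that should be producing alerts.
LOCAL_ONLY_NOTICES = {
    "No directories to check.",
    "No file configured to monitor.",
    "No rootcheck_files file configured.",
    "No rootcheck_trojans file configured.",
}
# Per Daniel's reply, these are the only daemons a server needs to receive agent events.
REQUIRED_ON_SERVER = {"ossec-analysisd", "ossec-remoted"}


def parse_log(text):
    """Return (timestamp, daemon, message) tuples for lines matching the ossec.log format."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2), m.group(3)))
    return entries


def triage(text, role):
    """role is 'server' or 'agent'; returns started pids, missing daemons and problems."""
    started, notices = {}, []
    for _ts, daemon, msg in parse_log(text):
        pm = PID_RE.search(msg)
        if pm:
            started[daemon] = int(pm.group(1))
        elif msg in LOCAL_ONLY_NOTICES:
            notices.append((daemon, msg))
    missing = sorted(REQUIRED_ON_SERVER - started.keys()) if role == "server" else []
    problems = [f"{d}: {m}" for d, m in notices] if role == "agent" else []
    return {"started": started, "missing": missing, "problems": problems}
```

Run it over a server log with role "server" and over each agent's log with role "agent"; an agent whose output lists "ossec-syscheckd: No directories to check." has no syscheck directories configured and cannot raise integrity alerts.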
